The Gauss attack
toolkit steals passwords, banking credentials, browser cookies and configuration data of
infected machines. More than 2,500 infections were detected by Kaspersky in May, with the number of
total infections estimated in the tens of thousands.

Gauss' payload is encrypted and so far researchers have not been able to determine what
vulnerabilities it exploits and how it spreads. Victims are running Windows 7 systems. Kaspersky
Lab said the attack toolkit was uncovered following the discovery of the Flame attack toolkit in
June.

Kaspersky Lab is working with the International Telecommunication Union (ITU) to detect and
reduce the risks posed by cyberweapons. The ITU, a UN agency established to discuss international
communications issues, has been trying to gain authority over issues governing the Internet from
private organizations. The Russia-based antivirus giant has detected a number of
nation-state-sponsored cyberattacks, including Stuxnet,
Duqu and the Flame
attack toolkit. No nation-state has claimed responsibility for the use of malware in cyberespionage
activities. But a New York Times report, citing anonymous government sources, said the
United States and Israel were behind the Stuxnet attack that disrupted operations at an Iranian
nuclear refinery facility. Some characteristics of Flame
and Duqu have been linked to the Stuxnet worm.

Kaspersky Lab provided its analysis of the Gauss toolkit in a blog post
Thursday. The company said Gauss also shares characteristics with Flame, which targeted hundreds of
individuals in Iran and the Middle East. "These include similar architectural platforms, module
structures, code bases and means of communication with command-and-control [C&C] servers," the
security firm said in a statement.

The researchers believe the attack toolkit was used beginning in September 2011. It was
discovered in June 2012, following analysis of the Flame malware. Kaspersky said the C&C
infrastructure was shut down in July, leaving the malware in a dormant state.

"Analysis of Gauss shows it was designed to steal data from several Lebanese banks, including
the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais," Kaspersky said.
"In addition, it targets users of Citibank and PayPal."

Gauss' main module was named by the unknown creators after the German mathematician Johann Carl
Friedrich Gauss. Other components bear the names of famous mathematicians as well, including
Joseph-Louis Lagrange and Kurt Gödel.

Like many malware families, Gauss can collect information from browsers, including the history
of visited websites and passwords. Detailed data on the infected machine is also sent to the
attackers, including specifics of network interfaces, the computer's drives and BIOS
information.

Gauss can also infect USB thumb drives, using the same LNK vulnerability that was previously
used in Stuxnet and Flame. "Gauss is capable of 'disinfecting' the drive under certain
circumstances, and uses the removable media to store collected information in a hidden file,"
Kaspersky said.

While Gauss is similar to Flame in design, the geography of infections is noticeably different.
The highest number of computers hit by Flame was recorded in Iran, while the majority of Gauss
victims were located in Lebanon. The number of infections is also different. Based on telemetry
reported from the Kaspersky Security Network (KSN), Gauss infected approximately 2,500
machines.

"Similar to the two previous cyberespionage weapons, Gauss' spreading mechanisms are conducted
in a controlled fashion, which emphasize stealth and secrecy for the operation," Kaspersky
said.